
Arkansas Healthcare Association of Access Managers 2009 Fall Meeting November 19, 2009


TOPICS

HIPAA Revisions

Security Breach & Red Flags Rule

EMTALA

HIPAA

The American Recovery and Reinvestment Act of 2009 contained several revisions to the HIPAA regulations.

Some of these revisions became effective in 2009, and others will be implemented over the next few years.

HIPAA REVISIONS

PENALTIES (effective now)

HIPAA Penalties

The revisions clarify that criminal penalties will also be extended to employees of Covered Entities.

Civil money penalties have been increased and will be tiered based on the type of violation.

Monies received from penalties or settlements will be transferred to the Office for Civil Rights, and by 2012, individuals who are harmed by HIPAA violations will be able to receive a percentage of these monies as damages.

HIPAA Penalties

Unknowing violations: $100 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to reasonable cause: $1,000 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to willful neglect (if the violation is corrected): $10,000 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to willful neglect (that are not corrected): At least $50,000 per violation, up to a maximum of $1.5 million per year.

Note: the limits refer to “violations of identical requirement or prohibition.” So, if there is more than one type of violation, penalties may be dramatically increased.

HIPAA REVISIONS

BREACH NOTIFICATION REQUIREMENTS (effective now)

Breach Notification Requirements

Covered Entities are now required to notify affected individuals of a Breach of unsecured PHI.

Breach Notification Requirements

A “Breach” means a use or disclosure of PHI in a manner not allowed under the HIPAA regulations that poses a significant risk of financial, reputational or other harm to the affected individuals.

“Unsecured PHI” is PHI that has not been encrypted, destroyed or otherwise made unreadable to unauthorized individuals.

Breach Notification Requirements

If a HIPAA violation occurs, a “risk assessment” must be performed to determine whether the violation was also a Breach (whether the impermissible use or disclosure results in a serious risk of harm).

Breach Notification Requirements

Risk assessments should be fact specific and must be documented.

Documentation must be kept for 6 years and must include whether the incident was determined to be a Breach and the reason for the determination.

Breach Notification Requirements

Exceptions to Breach:

1. Unintentional use or disclosure by an employee acting within the scope of employment if no additional use or disclosure occurs.

2. Inadvertent disclosure from one authorized person to another authorized person at the Covered Entity.

3. Unauthorized disclosure if the person who received the disclosure couldn’t reasonably be expected to keep or remember the information.

Breach Notification Requirements

If a Breach has occurred, steps must be taken to reduce harmful effects of the Breach.

Examples include:

Notifying law enforcement

Contacting affected individuals

Updating security, changing pass codes, etc.

Breach Notification Requirements

Risk assessments and actions to mitigate must be taken in a timely manner.

A Breach is “discovered” when the incident is discovered, not when there is a determination that the incident was a Breach.

Notice must be provided as soon as reasonably possible, within a maximum of 60 days – unless law enforcement requests a delay.

Breach Notification Requirements

Notice to Individuals:

1. Written notice, in clear language;

2. Description of the incident;

3. Description of the information involved;

4. Description of the investigation and what is being done to mitigate harm;

5. Steps individuals should take to protect themselves;

6. Contact procedures for obtaining additional information.

Breach Notification Requirements

Notice to Individuals:

Must be sent by first-class mail.

Substitute notice may be provided if contact information is out-of-date (website, newspapers, radio or TV).

Notice on the website must be posted for 90 days.

Breach Notification Requirements

Notice to the Media:

If a Breach involves more than 500 residents of a state or jurisdiction (city or county), notice to the media must be provided in addition to individual notice.

Breach Notification Requirements

Notice to the Secretary of HHS:

If a Breach involves 500 or more individuals (regardless of where they are located), the Secretary of HHS must be notified at the same time and in the same manner as individuals.

If a Breach involves less than 500 individuals, a log must be maintained of the Breach. This log must be submitted to the Secretary annually.

Breach Notification Requirements

All members of the Covered Entity’s workforce (employees, medical staff, students, contractors, etc.) must be trained on identifying and reporting possible Breaches.

Policies for identifying and responding to Breaches must be established, and these policies must provide for sanctions if individuals fail to comply.

New HIPAA Provisions

ACCOUNTING for Disclosures (coming soon)

Accounting for Disclosures

If Covered Entities use electronic health records, they will soon have to begin accounting for disclosures for treatment, payment and health care operations.

Individuals have a right to receive an accounting of these disclosures for three years.

A reasonable fee may be imposed when an individual requests an accounting of these types of disclosures, but it cannot exceed the entity’s labor cost in responding to the request.

Accounting for Disclosures

Covered Entities with electronic health records as of January 1, 2009, must comply on and after January 1, 2014.

Covered Entities that begin using electronic health records after January 1, 2009 must comply on the later of January 1, 2011 or the date they acquire the electronic health record.

HIPAA

Preview of Coming Attractions:

Penalties will apply to Business Associates in the same manner as they apply to Covered Entities.

Covered Entities will be required to comply with requests not to disclose PHI for treatment, payment or healthcare operations if the PHI pertains solely to health care paid in full by the individual, out-of-pocket.

Disclosures must be limited to the limited data set or “minimum necessary” to accomplish the purpose of the disclosure.

There will be new marketing restrictions, and individuals will have to be given the opportunity to opt out of fundraising activities.

HIPAA

Preview of Coming Attractions:

DHHS will establish a method for individuals who are harmed by HIPAA violations to receive a percent of civil money penalties collected.

State Attorneys General will be able to sue Covered Entities for HIPAA violations on behalf of state residents.

The OIG will begin performing random audits to make sure that Covered Entities and Business Associates are in compliance with HIPAA.

HIPAA

Preparing for Change:

Update HIPAA Policies

Update Business Associate Agreements

Revise Notices of Privacy Practices

Re-train Employees

Questions about HIPAA?

SECURITY BREACH

SECURITY BREACH

A security breach, under Arkansas law, is unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information, such as a patient’s medical record or account information.

The good faith acquisition of personal information by an employee for the legitimate purposes of the business is not a security breach so long as the information is not otherwise used or subject to further unauthorized disclosure.

SECURITY BREACH

“Personal information” means an individual's first name or first initial and his or her last name in combination with any of the following:

a. Social security number;

b. Driver's license or Arkansas identification number;

c. Account number, credit card number, or debit card number and any security code, or password; and

d. Medical information.

“Records” means any material that contains sensitive personal information in electronic form.

“Records” does not include any publicly available directories containing information an individual has voluntarily consented to have publicly listed, such as name, address, or phone number.

SECURITY BREACH

Arkansas requires businesses that maintain “personal information” (account information, medical information, etc.) about Arkansas residents to implement and maintain reasonable security procedures and practices appropriate to protect this information from unauthorized access, destruction, use, modification or disclosure.

SECURITY BREACH

Arkansas also requires businesses to disclose security breaches to the affected individuals.

The disclosure must be made “without unreasonable delay”.

Notification may be delayed only if a law enforcement agency determines that notification will impede a criminal investigation.

Federal Law – Red Flags Rule

Requires “Creditors” to implement an identity theft prevention program.

Creditor has been broadly defined to include anyone that regularly grants the right to defer payment of a debt – this includes the majority of hospitals and physician practices.

Federal Law – Red Flags Rule

The Red Flags Rule requires:

(i) written policies to address the protection and security of personal information of customers;

(ii) routine audits to monitor for and identify unauthorized access;

(iii) methods for notifying individuals and mitigating damages if an identity theft occurs; and

(iv) periodic review and revision of policies, if necessary.

Red Flags Rule

DEFINITIONS:

“Covered Account” - (i) an account that involves multiple payments or transactions, including one or more deferred payments; or (ii) an account that has a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the institution.

“Identity Theft” - fraud that involves stealing money or receiving benefits by using another person’s identity.

“Red Flag” – a pattern, practice or specific activity that indicates possible existence of identity theft.

Red Flags Rule

Compliance:

Perform a risk assessment to identify accounts that have a high risk of use in identity theft (“Covered Accounts”).

Any patient account or payment plan that involves multiple payments would likely be a Covered Account. For healthcare providers this will include all patient accounts.

Red Flags Rule

Compliance:

Develop policies and procedures to address the protection and security of personal information of customers;

Perform routine audits to monitor for and identify unauthorized access; and

Notify individuals and mitigate damages if a security breach occurs.

Red Flags Rule

Four Main Requirements:

Identify red flags

Detect red flags

Respond to red flags

Update the program as needed

Red Flags Rule

Examples of Red Flags:

Suspicious or altered documents.

Identification cards that are inconsistent with the person’s appearance.

Failure or refusal to provide identifying information.

Inability to verify insurance information.

Notice from a patient of possible identity theft.

Routine audit reveals unauthorized account access.

Red Flags Rule

Examples of Red Flags:

Medical information provided by the patient differs from that in the medical record.

Family members or friends reveal suspicious information to staff members, such as calling the patient by a different name.

Reports from patients that they received bills for services that were not received.

Red Flags Rule

Detect Relevant Red Flags:

Once relevant Red Flags have been identified, procedures must be adopted to detect Red Flags so appropriate responses may be implemented.

Red Flags Rule

Detect Relevant Red Flags:

All appropriate employees must be educated on identifying relevant Red Flags and notifying the appropriate individual any time a Red Flag is detected.

Red Flags Rule

Detect Relevant Red Flags:

Measures to detect Red Flags should be based on the risk assessment. Examples include:

Collecting identifying information each time a new account is opened;

Viewing a photo ID or insurance card;

Comparing patient information with information already contained in existing records.

Red Flags Rule

Detect Relevant Red Flags:

For providers who do not deal directly with patients, an alternate method of verifying the patient’s identity should be used.

This might include contacting patients, patient representatives, and/or insurance companies to confirm validity of information received, or requesting copies of identifying information used by the patient referral source.

Red Flags Rule

Detect Relevant Red Flags:

Any time a Red Flag is detected:

* The event should be documented;
* The appropriate individual should be notified; and
* An investigation should be conducted.

Red Flags Rule

Response to Red Flags:

The response to Red Flags should be based on the results of the investigation.

Responses should be geared toward mitigation of harmful effects.

Red Flags Rule

Response Examples:

Contact the patient

Notify law enforcement

Correct the medical record

Correct the account

Change passwords or security codes

Update computer security

Determine no action is necessary

Red Flags Rule

Response:

If an investigation leads to a reasonable belief that identity theft has occurred, affected individuals should be provided with information regarding:

* The scope of the breach;
* The information accessed;
* How the information was used (if known); and
* Actions taken to remedy the situation.

Red Flags Rule

Documentation:

All incidents of actual or suspected identity theft must be documented.

This documentation must be maintained for 5 years after the account is closed or becomes dormant.

Red Flags Rule

Documentation should include:

Identifying information about the individual;

A description of any document relied on to verify identity;

A description of any additional measures used to verify identity; and

A description of the discrepancies discovered.

Red Flags Rule

Updates: Periodic risk assessments must be performed and policies updated in response to:

New accounts,

Changes in business practices,

Experiences with identity theft,

Changes in methods to detect, prevent and mitigate identity theft, or

Changes in identity theft experienced by the industry.

Red Flags Rule

Compliance Reports:

Periodic compliance reports must be provided to the governing body.

These reports must detail the effectiveness of the policy, recommendations for policy revisions, any incidents of identity theft and the actions taken in response.

QUESTIONS about RED FLAGS?

EMTALA

3 Primary Requirements

Medical Screening Exam (MSE)

Necessary Stabilizing Treatment

Appropriate Transfer

MSE

Must perform on anyone who “Comes to the Emergency Department” and requests examination or treatment of a medical condition in order to determine whether an emergency exists.

The MSE must be appropriate for the patient’s symptoms, within the hospital’s capabilities.

EMTALA

“Comes to the Emergency Department” means:

Presents at the hospital’s dedicated ED & requests an exam or treatment;

Presents on hospital property, other than the ED, and requests exam or treatment for what may be an emergency;

Is in an ambulance owned & operated by the hospital for exam and treatment, but is not on hospital grounds; or

Is in a non-hospital owned ambulance on hospital property for exam & treatment of a medical condition.

NO DELAY IN TREATMENT

An MSE (and necessary stabilizing treatment) may not be delayed to inquire about method of payment or insurance status.

NO DELAY IN TREATMENT

Insurance authorization may not be done until after appropriate screening and necessary stabilizing treatment are provided.

NO DELAY IN TREATMENT

Registration procedures may be followed so long as they do not delay medical screening or treatment.

The registration process may not discourage individuals from remaining for further evaluation.

NO DELAY IN TREATMENT

CMS has indicated that any procedures, signs, etc., that induce an individual to leave the ED before they receive an MSE place the hospital at risk of an EMTALA violation.

NO DELAY IN TREATMENT

If ED patients who do not have emergencies are expected to pay for services at the time of treatment, such financial discussions should not occur until after the patient has received an MSE and it has been determined that no emergency condition exists.

NO DELAY IN TREATMENT

A hospital was recently fined for violating EMTALA because a patient with chest pain left the ED without treatment after he read a sign which stated payment for non-emergency conditions was expected at the time of service.

What is an MSE?

Determines whether or not an emergency medical condition exists.

More than initial screening or triage.

“The process required to reach, with reasonable clinical confidence, the point at which it can be determined whether a medical emergency does or does not exist.”

Can be brief and simple or very complex, depending on the patient.

What is an Emergency Medical Condition?

A medical condition with acute symptoms of sufficient severity (including severe pain) that absence of immediate medical attention could reasonably be expected to result in:

Serious risk to an individual’s health;

Serious impairment to bodily functions; or

Serious dysfunction of an organ or body part

MSE

If an individual Comes to the Emergency Department and requests an exam or treatment,

and the nature of the request makes it clear that the medical condition is not an emergency,

the hospital must only perform a screening that is appropriate for the patient to determine an emergency medical condition does not exist.

Who May Conduct an MSE?

A person who is determined qualified by Hospital bylaws or rules and regulations to provide emergency care,

&

who can provide any necessary stabilizing treatment or an appropriate transfer, if an emergency medical condition exists.

EMTALA

Under Arkansas Law:

ONLY A PHYSICIAN CAN DETERMINE IF AN EMERGENCY MEDICAL CONDITION EXISTS

STABILIZING TREATMENT

If any individual is determined to have an emergency medical condition, the Hospital must either:

Stabilize the medical condition (within its capabilities);

OR

Transfer the individual to another facility in accordance with the regulations.

EMTALA

A hospital’s EMTALA obligation ends when a physician has made a decision that:

No emergency exists;

That an emergency exists which requires transfer to another facility, or the patient requests transfer to another facility; or

That an emergency exists and the patient is admitted to the hospital for further stabilizing treatment.

ON-CALL PHYSICIAN

If the emergency department physician determines an on-call specialist physician’s services are necessary, and

the on-call physician is notified and fails or refuses to appear within a reasonable time and transfer is ordered,

both the hospital & the on-call physician are at risk for violating EMTALA.

PENALTIES

Penalties for EMTALA violations include fines of up to $50,000 per violation, and termination from the Medicare and Medicaid programs.

Friday, Eldredge & Clark, LLP

Jennifer Smith
[email protected]
(501) 370-3378

Lynda Johnson
[email protected]
(501) 370-1553